
Re: Trouble becoming a member

On Tue, Sep 17, 2002 at 04:36:39PM -0600, Joel Baker wrote:

> > A $50 kit isn't going to get you a disguise to believably mask the facial
> > features that are most important in identifying people through such
> > things as police sketches.  $60 may get you a fake ID from a neighboring
> > state, but the whole point is to tighten the web enough so that
> > keysigners ARE familiar with the forms of IDs applicants use.  There are
> > enough risks with trying to conceal one's identity in a face-to-face
> > meeting that stealing a key is probably easier[0]... and that's a sign
> > that we're doing things right, IMHO.

> Don't do much theater work, do you? $50 of supplies is more than sufficient
> (as, in the amount used). I did specify a few hundred, if you must buy a
> complete set of the necessary materials (and will have quite a bit left
> over).

Actually, I have done some theater work, and not many stage makeup jobs
I've seen are seamless enough (even setting aside the fact that stage
makeup is intended for much different lighting conditions) to pass for
real flesh up close.  To pull that off requires a lot more than just $50
in supplies; it requires a serious investment of time.  If someone's
*that dedicated*, we're probably not going to keep them out no matter
what.  But that's not a casual attack.  Our system should be good enough
to keep out casual attackers.

> What do you risk, anyway? Unless the DD also happens to be a LEO, or
> suspects foul play beforehand and arranges for one... there isn't a lot
> they can do. You go away and try it again somewhere else. All that's really
> risked is time and possibly some money.

You think someone who'd already been caught out once would try *again*
when the community is abuzz with the news that someone tried to
infiltrate Debian? :)

If you wear a disguise while lying your way into the keyring, the danger
is that your peer will notice.  If you don't wear a disguise, the danger
is that once you've gotten in and done the damage, there's someone who
can describe you to the authorities.  Anyone who tries to pull off a
deception in light of these risks is either good enough that we'll never
catch them, or foolish enough that the one physical meeting is likely to
be enough to let us catch them.  In contrast, creating an Internet
persona and doing some Photoshop work is VERY low-risk, especially for
the type of casual attacker most likely to have the skillset to try to
infiltrate the project -- namely, a script kiddie.

Steve Langasek
postmodern programmer
